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DETAILED ACTION 

Specification 

1 . The specification is objected to as failing to provide proper antecedent basis for 
the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01 (o). Correction 
of the following is required: In claims 213-227, several terms for example, "digital 
identities," "Master Business Associate Contract template," "covered entities," 
"multilateral contractual agreements", "MBAC database," "self-certification provisions," 
appear to lack support in the specification. With respect to the "interactive means" and 
"means for a covered entity," "non-negotiable terms," "self-certified covered entities," 
"self-certified business associates," "electronic signature," "affidavit," etc., 37 CFR 

1 .75(d)(1 ) provides, in part, that "the terms and phrases used in the claims must find 
clear support or antecedent basis in the description so that the meaning of the terms in 
the claims may be ascertainable by reference to the description." While the above list 
is not exhaustive, applicant should review the above claims for all other terms lacking 
antecedent support. No new matter should be added. 

Claim Rejections - 35 USC §112 

2. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claims 21 3-227 are rejected under 35 U.S.C. 1 1 2, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. When the examiner considers the "digital identities," 
"Master Business Associate Contract template," "covered entities," "multilateral 
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contractual agreements", "MBAC database," "self-certification provisions," appear to 
lack support in the specification. With respect to the "interactive means" and "means for 
a covered entity," "non-negotiable terms," "self-certified covered entities," "self-certified 
business associates," "electronic signature," "affidavit," etc., the scope of the claims are 
unclear so as not to insure that the public is informed of the boundaries of what 
constitutes infringement of the patent. Furthermore, it is unclear as to what applicants 
regard as the invention so that it can be determined whether the claimed invention 
meets all the criteria for patentability and whether the specification meets the criteria of 
35 U.S.C. 112, first paragraph with respect to the claimed invention. MPEP 2173. 
Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 1 02 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1 ) an application for patent, published under section 1 22(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 213-241 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Lewis. (US 2004/0015432). 

6. With respect to claims 213-227, Lewis generally teaches identical limitations in 
claims 1-15. 

7. With respect to claims 228-241, Lewis teaches all of the limitations of the 
claims, specifically: 
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8. With respect to claim 228, Lewis teaches a method for creating and managing 
contractual relationships among interacting parties under a privacy standard, said 
interacting parties comprising (1 ) "covered entities" and (2) "business associates" 
between which private information is exchanged, said method comprising the steps of: 
issuing digital certificates(i.e. digital identities) to the interacting parties (i.e. contracting 
parties); providing community rules (i.e. MBAC) having a minimum standard based on 
said privacy standard (i.e. HIPAA non-negotiable terms) requiring compliance (i.e. 
observation) of said privacy standard with respect to said private information (i.e. private 
data); providing an electronic interface accessible to said interacting parties to facilitate 
negotiating and entering binding agreements among at least one of said covered 
entities and a plurality of said business associates pursuant to the terms of said 
community rules; and storing said binding agreements in a database, (i.e. similar to 
claim 1). 

9. With respect to claim 229, Lewis teaches the method according to claim 228, 
further comprising the step of providing certificates of compliance certifying that said 
interacting parties comply with said community rules, (i.e. self-certification provisions 
and covered entities/business associates of claim 2). 

10. With respect to claim 230, Lewis teaches the method according to claim 228, 
wherein said electronic interface facilitates negotiating additional requirements with 
respect to use or disclosure of said private information, (i.e. claim 3). 

1 1 . With respect to claim 231, Lewis teaches the method for creating and 
managing contractual relationships among interacting parties under a privacy standard, 
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said interacting parties comprising (1 ) "covered entities" and (2) "business associates" 
between which private information is exchanged, said method comprising the steps of: 
issuing digital certificates to the interacting parties (i.e. digital identities); providing 
community rules (i.e. MBAC) having a minimum standard based on said privacy 
standard (i.e. HIPAA non-negotiable terms) requiring compliance (i.e. observation) of 
said privacy standard with respect to said private information (i.e. private data); 
providing certificates of compliance certifying that said interacting parties comply with 
said community rules (i.e. self-certification provisions and covered entities/business 
associates); providing an electronic interface accessible to said interacting parties to 
facilitate negotiating and entering binding agreements among at least one of said 
covered entities and a plurality of said business associates pursuant to the terms of said 
community rules; and storing said binding agreements in a database, (i.e. substantially 
claim 4). 

12. With respect to claim 232, Lewis teaches the method according to claim 231 , 
wherein said step of providing certificates of compliance comprises the steps of: 
validating said certificate of compliance (i.e. self-certification by electronically signing 
self-certification affidavit); and storing said certificate of compliance in said database, 
(i.e. claim 5). 

13. With respect to claim 233, Lewis teaches the method according to claim 231 , 
wherein said electronic interface facilitates negotiating additional requirements with 
respect to use or disclosure of said private information, (i.e. claim 7). 
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14. With respect to claim 234, Lewis teaches the method according to claim 231 , 
wherein said electronic interface (i.e. electronic interface, interactive means)facilitates a 
covered entity to offer and a business associate to accept said community rules having 
said minimum standard, (i.e. claim 7 and 8). 

15. With respect to claim 235, Lewis teaches the method according to claim 231 
further comprising the step of querying a target member (i.e. multilateral contractual 
agreement) for permission to disclose selected private information to said target 
member (i.e. self-certified business associate). 

16. With respect to claim 236, Lewis teaches the method according to claim 231 , 
wherein said electronic interface comprises the internet, (i.e. claim 10). 

1 7. With respect to claim 237, Lewis teaches the method for creating and 
managing contractual relationships among interacting parties under a privacy standard 
applicable to protected health information (PHI), said interacting parties comprising (1) 
"covered entities" and (2) "business associates" between which private information is 
exchanged, said method comprising the steps of: issuing digital certificates to the 
interacting parties (i.e. (a)); providing community rules having a minimum standard 
based on said privacy standard requiring compliance of said privacy standard with 
respect to said PHI (i.e. (b)); providing an electronic interface accessible to said 
interacting parties to facilitate negotiating and entering binding agreements among at 
least one of said covered entities and a plurality of said business associates pursuant to 
the terms of said community rules (i.e. (e)); providing an agreement for said interacting 
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parties to certify adherence to said privacy standard by electronic signature (i.e. (c)); 
and storing said agreement in a database (i.e. (d)). 

18. With respect to claim 238, Lewis teaches the method according to claim 237, 
wherein said electronic interface facilitates negotiating additional requirements with 
respect to use or disclosure of said PHI. (i.e. claim 12). 

19. With respect to claim 239, Lewis teaches the method according to claim 237, 
wherein said electronic interface facilitates a covered entity to offer and a business 
associate to accept said community rules (i.e. MBAC non-negotiable terms) having said 
minimum standard, (i.e. claim 13). 

20. With respect to claim 240, Lewis teaches the method according to claim 237, 
further comprising the step of querying a target member (i.e. signed contractual 
agreements in MBAC database) for permission to disclose selected PHI to said target 
member (self-certified entity/identity such as business associate), (i.e. claim 14). 

21 . With respect to claim 241, Lewis teaches the method according to claim 237, 
wherein said electronic interface comprises the internet, (i.e. claim 15). 

Claim Rejections - 35 USC § 103 

22. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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23. Claims 213-217 and 219-227 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Keinsley et al. (US 2003/0154403) in view of Smithies 
(5,818,955) and further in view of 65 Fed. Reg. 82796 (Dec. 28, 2000). 

24. With respect to claims 213, 214, 216, 228-229, and 231, Keinsley et al. 
teaches a method for creating and managing multilateral contractual relationships (i.e. 
Para. 0176) among contracting parties under a privacy standard (ie. HIPAA regulations 
inherently require privacy standards, i.e. Para. 0118-0121), said contracting parties 
comprising (1) "covered entities" receiving data of customers and creating, recording, 
using, and disclosing private data of such customers in the ordinary course of business, 
and (2) "business associates" requiring the use of said private data (i.e. Para. 0176), 
said method comprising the steps of: assigning digital identities/certificates to the 
contracting/interacting parties and providing certificates/self-certifications (ie. Para. 

01 1 7-01 1 8 and 01 64); generating a database of digital identities (i.e. Para 01 66-01 68 or 
0695); providing an electronic interface (ie. Para 01 17) accessible to said digital 
identities/certificates to facilitate negotiating and entering binding multilateral 
contractual agreements/agreements among at least one of said covered entities and a 
plurality of said business associates pursuant to the terms of said MBAC 
template/community rules; and storing said multilateral contractual agreements or 
binding agreements in a database (i.e. Para. 0088). Keinsley et al. also teaches that 
contracting parties can be prompted with legal agreements upon signing in to a system 
as a user, (as identified above in the certification/MBAC template agreement references 
above). Keinsley et al also teaches that new or other legal agreements or conditions 
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can be added for which the user will have to agree (i.e. Para. 0615). In the least, 
Keinsley et al. teaches prompting of multiple agreements upon signing into a HIPAA 
database. 

With respect to claims 214, 216, 229, and 231, Keinsley et al. fails to teach the 
additional step of providing self-certification provisions/certificates of compliance in said 
MBAC/community rules for contracting/interacting parties to certify adherence to said 
privacy standard. However, Smithies provides a document and signature verification 
system including a sample self-certification or certificate of compliance type form (Fig. 
3A). While the sample form does not explicitly state adherence to said privacy standard, 
it is clear that the self certification/certificate of compliance forms can be modified to 
adhere to any contractual agreement or community rule. It would have been obvious to 
one of ordinary skill in the art, at the time of invention of electronic contractual 
agreements/community rules to modify the Keinsley et al. legal agreements to include 
self-certification and electronic signature or certificates of compliance to certify 
compliance as taught by Smithies for the fact that self-certification and certificates of 
compliance allow for the formation of agreements that would otherwise not be binding to 
become binding in a quick, inexpensive, and efficient way. 

With respect to claims 213, 216, 228, and 231, Keinsley et al. also does not 
appear to explicitly recite providing a multilateral Master Business Associate Contract 
(MBAC) template having non-negotiable terms or community rules having a minimum 
standard, requiring observation/compliance of said privacy standard with respect to said 
private data of a customer. The Federal Registrar teaches that Federal rules require 
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non-negotiable terms or "community rules" that require observation/compliance with 
privacy standards with respect to customer data. For example, Section 164.530 requires 
an entity to maintain specific policies and procedures in written or electronic form to 
protect health information. It would have been obvious to one skilled in the art of 
contractual agreements or "community rules" to modify the method for creating 
contracts of Keinsley et al. with the non-negotiable terms or minimum standards for 
community rules as taught by the Federal Registrar in order to protect the privacy of the 
medical data of customers. Motivation is evident based on the fact that these 
agreements are common and any automation would save a great deal of time. 

25. With respect to claims 215, 219, 230, and 233, the combination of Keinsley et 
al., Smithies and 65 Fed. Reg. 82796 teach all of the limitations of claims, such that 
Keinsley et al. specifically teaches an electronic interface including interactive means for 
negotiating additional terms with respect to use or disclosure of said private data. (i.e. 
Para 01 17). It should be noted that given the objection and rejections above, the 
examiner has interpreted interactive means under its broadest reasonable 
interpretation. Simply the language is interpreted to be a computer or otherwise that is 
connected to the web/internet capable of facilitating additional negotiation. 

26. With respect to claims 217 and 232, the combination of Keinsley et al., teaches 
all of the limitations of claims, including signing an agreement (i.e. Para. 0622), except 
for explicitly reciting that additional step of providing self-certification 
provisions/certificates of compliance in said MBAC/community rules for contracting 
parties to certify adherence to said privacy standard by providing a self-certification 
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affidavit for self-certification by electronic signature/validation and storing the 
affidavits/certificates of compliance in a database. 

However, Smithies provides a document and signature verification system 
including a sample self-certification/certificate of compliance form (Fig. 3A). While the 
sample form does not explicitly state adherence to said privacy standard, it is clear that 
the self certification/compliance forms can be modified to adhere to any contractual 
agreement or community rule established. It would have been obvious to one of 
ordinary skill in the art, at the time of invention of electronic contractual agreements and 
community rules to modify the Keinsley et al. legal agreements/rules related to privacy 
of HIPAA regulations to include self certification with electronic signature or certificate of 
compliance validation as taught by Smithies for the fact that self-certification and 
validation allows for agreements/rules that would otherwise not be binding to become 
binding in a quick, inexpensive, and efficient way. 

27. With respect to claim 223 and 237, these claims introduces no substantial 
limitation over claims 213, 216, 217, 228, 231, and 232 respectively, and is therefore 
rejected under a similar rational. 

28. With respect to claims 220, 225, 234, and 239, the combination of Keinsley et 
al., Smithies and 65 Fed. Reg. 82796 teaches all of the limitations of claims 216, 223, 
231 and 237 such that Keinsley et al. specifically teaches an interactive means includes 
means or electronic interface for a covered entity to offer and for a business associate 
to accept said non-negotiable terms in the MBAC or community rules having a minimum 
standard, (i.e. Para 01 17, providing for a computer capable of facilitating the offer and 
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acceptance). It should be noted that given the objection and rejections above, the 
examiner has interpreted interactive means under its broadest reasonable 
interpretation. Simply the language is interpreted to be a computer or otherwise that is 
connected to the web/internet capable of facilitating additional negotiation. 

29. With respect to claims 221, 226, 235, and 240, the combination of Keinsley et 
al., Smithies and 65 Fed. Reg. 82796 teaches all of the limitations of claims 216 and 
223, such that Keinsley et al. inherently teaches the additional step of: accessing a 
selected multilateral contractual agreement in said MBAC database or querying a target 
member for permission to disclose selected private data/information to, for example, a 
selected self-certified business associate. In fact, the determination of whether a user 
has agreed to contractual agreement/rules is contingent upon knowing whether your 
user is authorized. For example, Keinsley teaches storing your agreement, (i.e. Para. 
0690 and 0695). 

30. With respect to claims 222, 227, 236, and 241, in the least Keinsley et al. 
teaches an electronic interface comprising the internet, (i.e. Para 01 17). 

31 . With respect to claim 224, 238, the combination of Keinsley et al., Smithies and 
65 Fed. Reg. 82796 teaches all of the limitations of claims 1 1 , such that Keinsley et al. 
specifically teaches an electronic interface including interactive means/electronic 
interface for negotiating additional terms with respect to use or disclosure of said PHI 
data. (i.e. Para 0117; PHI data is the data being stored in HIPAA context). It should be 
noted that given the objection and rejections above, the examiner has interpreted 
"interactive means" under its broadest reasonable interpretation. Simply the language 
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is interpreted to be a computer or otherwise that is connected to the web/internet 
capable of facilitating additional negotiation. 

32. Claim 218 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Keinsley et al. (US 2003/0154403) in view of Smithies (5,818,955) and 65 Fed. Reg. 
82796 (Dec. 28, 2000) as applied to claim 4 above and further in view of 
Examiner's Official Notice. 

33. As per claim 218, Examiner takes Official Notice that warranty clauses are 
extremely old and well known in the art of contract negations. It would have been 
obvious to one skilled in the art, at the time of invention for contract negotiations to have 
a warranty clause in the MBAC since the creation of a warranty clause allows for more 
complete negotiation and prevents future litigation. 

Conclusion 

The Examiner has pointed out particular references contained in the prior art of 
record, within the body of this action for the convenience of the Applicant. Although the 
specified citations are representative of the teachings in the art and are applied to the 
specific limitations within the individual claim, other passages and figures may apply. 
Applicant, in preparing the response, should consider fully the entire reference as 
potentially teaching all or part of the claimed invention, as well as the context of the 
passage as taught by the prior art or disclosed by the Examiner. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Michael M. Thompson whose telephone number is (571) 
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270-3605. The examiner can normally be reached on Monday thru Friday 8am-5:30 
except Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Weiss can be reached on (571) 272-6812. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Michael M Thompson/ 
Examiner, Art Unit 3629 
July 31, 2008 

/John G. Weiss/ 

Supervisory Patent Examiner, Art Unit 3629 



